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SUBJECT Security Requirements for Automatic Data Processing 
(ADP) Systems 

Refs: (a) DoD Directive 5100.40, "Responsibilities for the 

Administration of the Automatic Data Processing 
Program," May 18, 1970 

(b) DoD Directive 4105. 55, "Selection and Acquisition 

of Automatic Data Processing Resources, " 

May 19, 1972 

(c) DoD Directive 5135.1, "Assistant Secretary of 

Defense (Telecommunications), " January 11, 

1972 

(d) DoD Directive 4630. 1, "Programming of Major 

Telecommunications Requirements," April 24, 

1968 • 

(e) through (1) see enclosure 1 


i 


PURPOSE 

A , T his D i r e c ti v e : 

1. Establishes uniform policy for protecting classi- 
fied data stored, processed, or used in, and 
classified information communicated, displayed, 
or disseminated by an Automatic Data Process- 
ing (ADP) System, including systems capable ot 
time or resource sharing, having remote access 
input/ output (I/O) terminals, and containing all 
levels of classified material. 

2. Permits the application of access and distribution 
limitations imposed on classified data and informa- 
tion, in addition to the controls required by the 
security classification of the material. 


i i 
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specifies conditions and prescribes security requirements 
under which ADP Sy stems will be operated when handling , 
classified material and assigns responsibility for the testin' 
evaluation, and approval of such systems. 


Provides for the application oi administrative, physical, and 
personnel security measures required to protect ADP equip- 
ment, material, and installations (resources) from inadvert- 
ent oi deliberate. compromise, theft, damage, or destruction. 


Authorizes the publication of (a) a Department of Defense 
Manual of Techniques and Procedures for Implementing, 
Deactivating, Testing, and Evaluating - Secure Resource 
Shai ing ADP Systems (o200, 28 -M), and (b) a Department 
of Defense Computer Security News Letter which will 
provide periodic information about on-going secure ADP 
System implementation and testing or other related ADP 
security matters of DoD-wide interest. 


objectives are to establish that: 

Security controls for ADP System's" are 'inter i: elated' withal 
■nox mul intj.qrnai . system controls',"' such as, input/output 
controls, program execution controls, operating controls, 
and internal check procedures. 


The reliability, integrity, and operation of an ADP System 
is enhanced by the imposition of many of the controls which 
satisfy security requirements. 


jTIie ^S'ic'ADPrSysiem reliability and integrity features 
must be augmented to assure that systems which process, 

■ store, or use classified data and produce classified informa ■ 

tion Will.;;\vith'reasbhabl'e;--depehda.bilityy ? prSventr' 


a. (Deliberate" OT’ i La d ve r £ e Hr Ad c e s s ■ f: o ^ clas SiIIe'cT rhaf&r ■ 

Aniautho r i zed pc f sons’,' anST" 

b. TJhau did r i zed friah ipiilat to n of" the ; co mpute'E land Btfs 
h^.,€^ciat..ed--j5e ; yi'plaeral • device 
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APPLICATION AND SCOPE 


The provisions of this Directive apply to the Office of the 
Secretary of Defense and to all Department' 'of Defense (Do! J) 


Components ( a he .Military- Departments^, Defense Agenci 


les , 


the Organizations of the Joint Chiefs of Staff, and Unified and 
Specified Commands) which handlp (process, store, use, or 
produce) .classified .iii.ater.ia3.' in ADP Systems?; and it covers 
;such s'ys terns: when "ope rated ' by contractor sJ and by computer 
service organizations providing contractual ADP services to 
DoD Components or their contractors. 


DEFINITIONS 

Terms used in this Directive are defined in enclosure 2. 
POLICY 


the protection of classified material in an ADP System shall 
be in accordance with that required in DoD Directive 5200. 1, 
and DoD Regulation 5200. 1 -R, references (e) and (f). Cda*$ - 
sified' material contained in an'ADP System? shall be safe- 
guarded byl the continuous employment of protective feature.? 
in the system's hardware ■'and:- software design’ and configura- 
tion.-, and by othep appropriate administrative, physical,^ 
personnel,! and communication security controls). The poten- 
tial cost of the ADP System dictates that the security policy, 
contained herein, be judiciously implemented, carefully 
managed, regularly reviewed, and continuously monitored to 
assure the most effective and economical use of the ADP 
System and related resources of the Department of Defense 
and, where applicable, of its contractors. 


Each Department' of Defense'; C omponent shall/ 

1. Assure that internal ADP. Systems conform to thd 
policy s taled he r e iii . 

2. Qbser.ve closely and use thd "ftindaniehthLco'mputelr 
security’ policy, concepts, and measures outlined 
in this Section and Section VT, when designing, pro- 
curing, adopting, or operating ADP Systems for 
the processing, storage, use, and production of 
classified material. 
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Assure that the diversity and complexity of Axis tin glDoD. 
fowned: APB'. System and those already designed for future 
placement which may not presently provide .for the. complete 
Compliance with tb e provisions oi this Directive contain 
;se curity measures which provide alternative solutions. to 
the security problems which, in part, are dependent upon 
the individual characteristics of the ADP System, and its 
usage. 


B. Generally, security of an ADP System is most effective and 
economical if the system is designed originally to provide it. 
Each Department of Defense Component undertaking design of an 
ADP System which is expected to .process, store, use, or 
produce classified material shall: 

1. From the beginning of the design process, consider the 
security policies, concepts, and measures prescribed in 
this Directive. 


2. When evaluating alternative design approaches, consider 
together the functional system, the ADP equipment, the 
telecommunications facilities, and the security require- 
ments. Select for implementation the design alternative 
offering the most economical balance of elements which 
meet the total system requirements. 


C. Recognizing both the validity of the security requirements in this 
Directive and the difficulty involved in their application to 
currently installed and already designed ADP Systems, a DoD; 
Component' may" process,' ' store, . or use classified data 'and pro*- 
du ce c la s s if i e cl .info r m at i o n ...in ; an A DP - Sy s tern... that, is.;:? •• 


1 . 

JAGS 

AT 

75 


. rating .in.a .dedicated/rrjode. (encl. 2, 7. ) full txme oi for 
specific periods of time when all userq with access to the 
system have a clearance and need.-to -know - for. all .data and 
information - then contained in the syt> teni} 


a. In such cases the requirements of Section VI. ai e 

normally fulfilled by the access, personnel, administra 
tive, physical, and communication security controls 
.established for (1) the Central Computer Facility, ( 2 ) 
the ADP System's interconnecting communication rinks, 
(3) all peripheral devices, (4) input/ output 1 terminals > 
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b. 


and (5) remote terminal areas connected to the system. 
.These 'controls shall be -in conformity with those required 
for. the protection of the.. highest „cla s sification and rnos> 
gtr ingent: a c;ce ss restric.tipns.;as^igxie<.l. t.P the material! 


b,c.ing handled in the ' system,. 

After the User(s) has stored, or made proper disposition 
of all of the classified material and the media used to 
store the classified material has been secured or 
erased (declassified), the ADP System maybe returned 
to its original state or to an unclassified and undedicated 
state, as appropriate. 


2 . 


Ppersting':ih;'p."bOntrolled.:enyir.dhrnent in a security mode that 
the Designated Approving Authority (V, C.) or higher authority 
has determined will achieve and maintain the degree of seed” 


o’ity that, j s...cousisteni; . with the intent of this Directive}.. 


3. (Operating in a.trxie narilti-level security rnode*(encl. 2, 10. ) 
using all essential hardware / software security features in 
the ADP System, in addition to the administrative, physical, 
personnel, and communication security controls needed to meet 
the requirements of Section VI. and the overall intent of this 
Directive. (Techniques and procedures which can he used to 
secure, test,and evaluate resource sharing ADP Systems are 
contained in DoD Manual 5200. 28-M.) 


The -head of a DoD Component or his Designated Approving/ 
Authority (V. C. ) may authorise .'temporary exceptions, to 
Specific security measures which they have' determined 
would impair "operation. .arid "mission' effectiveness/ pro- 
vided he assures that continuous progress is made 
toward the ultimate full compliance with the Directive at 
the earliest practicable time. Authority ' to!. a'U'thor iz$ 
tb.cse. temporary exceptions . shall not be. further delegated* 
(Also see subsections 1 and 2 above.) 


b. Temporary exception's. to specific 'se cur ityhhiea sure s ’for 
ADP Systems which contain" compartme nted intelligence 
ter; SIOP-ESX, however, shall be subject’to the. prior ap- 
proval of the appropriate authority; ;i.n Sections,. V. F. G /, 
■ and ,11.,, .be low J (J'AQ£^r o K. y 2>ZA\ 
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personnel of a Conoponen^n^s 

operation and control of ti V be prescribed by. the 

for the. A DP Sy:r.t.crn> 

authority ,xoa p.ous loro s ^Vbe agreed to and implemented be- 

Such security measures abaUbe, terminal may be 

fore the user’s peripheral device ox 
connected to the ADP System. 

-rn n mmoonents 1 ADP Systems become a 
When one or more DoD Co l . ( the Intelligence 

part of a larger teleprocessing under the co g- 

Data Handling System Comixnm Command and Control 

nizance of D1A or the Worldwide ^ approva l and the 

Systems under the cognizanc . t secur ity measures 

author** to * the 

for the Components ADP by. ^ D - oD Component operating; 

concurrence and having over-aU respon- 

the ADP System and the DoD Com pone. 

sibility for the security of the network. 

& ' r above the authority- responsible for the over -abb 

As m C. above, i . k sha ll determine th* 

operation and control, cu we nctwoin _ be} 

- 1 for the SyrAc ms., .which arc to ..uo 

Hecv.ricy requiiemuit...^ — me asures shall be agreed 

coniicctcd.to the Ig AD p System is connected 

to and implemented befoie 
to the network. 


1 . 


2 . 


This concept, however, d'oennot 

? equirp:only co 1 n ; n,mto^^^p^ such caS es, ^ &oD 
tions networks. sue - • _ System shall determine the 

Component that con ro . cla6sifiecl material handled in 

r”S S^r>. security me^re^to he agreed to 

and implemented in sue ca^e interface, and integration 

needed to insure Ajhe eve op o^ ^ cos( ._ effcctive transmission 
of secure, reliable, needed to meet the com- 

and communication lines * d telecommunications network 

muni cation requirement of the lee 
supporting the ADP System (see F. below). 

Transmission and communication ^s «d Hi* ADP^ 

secure * ■ a °“™, appropriate for the mater- 

System shall be secuie ^ _ •, lines or links 

ial designated for transmi^sion^ir ^ 5> refere nce (g) 

reference (f). Telecommunications 
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G. 


H. 


X. 


J. 


K. 



M. 


/V 

>'A 


N. 


facilities supporting A DP Systems shall meet the security criteria 
used lor the Defense Communications System and the criteria 
for equipment interfacing with such systems. 


Measures to control compromising emanations shall be approved 
under the provisions of DoD Directive S-5200. 19, reference (h), 
by the cognizant authority within the Component operating the 
ADP System. These measures within industrial ADP Systems, 
however, shall be applied only at the direction of the contracting 
activity concerned under provisions of O. , below and such require- 
ments shall be included in the contract. 


Disconnect procedures', I when required to protect classified mate- 
rial contained in the ADP System, shall be used to disconnect 


remote I/O terminals and peripheral devices 
by a hardware or - softwar e method authorized 
Approving Authority (V. C.y). 


from the system 
by th e De's ignat ecjr 


Procedures and basic safeguards prescribed in DoD Regulation 
5200. 1-R, reference (f), for the transmission, processing, 
handling, storage, and disposal of classified information 
apply to the protection of classified end products produced by 

the ADP System. 


Security measures for ADP Systems which are integral oi 
adjunctive to the control of weapons, communications, or to 
tactical level data exchange systems, shall be established 
concurrently with the design and development of the system using 
fundamental security concepts outlined in this Directive. 

When RESTRICTED DATA or FORMERLY RESTRICTED DATA 
is introduced into an ADP System, appropriate personnel and 
physical security measures shall be implemented m conform- 
ance with DoD Directive 5210. 2, reference (i). 


Measures, to. protect compartmented, intelligence co 
an ADP System shall also meet the minimum /sj? cur 
p) exits, of DC ID Rio.... 1/16 ,. reference - (h) J 


ntaihe.d in/ 
ity requir.p- 


Measures to protect SIOP-ESI, contained in an ADP System, 
shall also meet minimum security requirements of SM 212-72 


reference (1) . 


for which systems, of cprApartmentati on or handling are/ 
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formally established shall, not- be introduced .-into any. existing AD? 
System that, has, not -been dedicated, to » ; or. .'de signed undmppro ve'd 
for ,.. the. .handling'- of wompartrr.enfced intelligence^ SLOP -ESI, or 
such other information, except or., until*: 

1. The r os poiihible 'particle within, or between, concerned DoD 
Components or elements of a DoD Component, have assessed 
fbe. impact, including costs , of ..the ^security ..measures to be 
added to the system by reason of the introduction of such 
material into the ADP System; and 

2 . The Designated Approving Authority- (V. C. ) within the DoD 
Component which operates the ADP System has agreed to the 
conditions and implements the sdcuruty measures' required 
for such operations; and 

I 

3. The. concerned activities have established contingency plans, 
schedules, priorities, and agreements to assure the most 
effective operation of the ADP System in support of DoD 
objectives, have determined those emergency conditions 
which will affect priorities, and have provided directions 
under which security measures . are waived. in fav.or;; of 
operational necessities}; and 

4. Approval of the ADP System" has "'been "obtained in accordance' 

with Subsections .AT F. ■ G. , and'H./ j>/A APPROVAL 


O. Subject to the provisions of Subsections V. F. , G. , and I-I. , 

? EC Pv.ET, mate ria..F or material having special coh'- 


below, TOPS 


trols ^indicating restrictive handling for which systems of 
compartmentation and handling are formally established shall 
hot be introduced into, a contractor's ADP System except when 
the system is operating in a' dedicated modef and under such 
other restrictions as shall be determined jointly by the con- 
tracting DoD Component and the DSA. Applicable restrictions 
and instructions shall be included in the contract. 


P. Whenever material requiring special controls (L. and M. above) 
is withdrawn from the ADP System, or when the required level 
of protection is reduced for any other legitimate reason, the 
system shall be operated under the controls appropriate for the 
material remaining in the system. 
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responsibilities 

A r* A s distant Secretary of Defense (Comptroller:) (ASD(C)), 

or his designee for this purpose, in addition to the-over-all 

ADP responsibilities assigned under DoD Directive 

reference (a), shall: 

1 Develop and monitor over-all security policy, standards, 
and criteria applicable to ADP Systems under this 
program in accordance with DoD Directive 5200 1 and 
DoD Regulation 5200. 1-R, references (e) and (f). 

2 Publish and maintain in up-to-date form, a Depart 

’ ment of Defense Manual 5200. 28-M, '-Techniques and 
Procedures for Implementing, Deactivating, resting, 
and Evaluating - Secure Resource Sharing ADP System, 
and periodically publish a "Department of Defense Com 
puter Security News Letter", providing information on 
ADP security matters of DoD -wide interest. 

Establish a central DoD capability for. 


3. 


a. 


b. 


Assisting and advising DoD Components m ADP 
System security testing and evaluation; 

Assessing progress of DoD Components toward 
development and effective, installation of secure 
ADP Systems. 


4 . 


Assure that potential commercial suppliers, .ol AD, 

resources; (DoD Directive 4105. 55, reference (b)) m-.e 
apprised of these and any subsequent security require 
merits so that security features, may be considered by 

the procurement authority in the acquisition of new 
ADP Systems or equipment,! and commncwrn 
research and development may be directed toward 
improved computer security techniques in me imme- 
diate future.,/ 


5. 


t the Department Of Defense on Interagency 

A 1 I 




ComxnitteesT engaged in the development of policy 

and criteria for implementing, deactivating, 




standards, 


testing, 


and evaluating secure res 


ource -sharing ADP 
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C. 


6. Act as Chairman of an ADP System Security Task Force 

made up of representatives from the intelligence, telecom- 
munications, command and control, and collateral (Army, 
Navy, Air Force and Defense Agencies) communities that 

shall review, evaluate, and recommend adoption of policy, 
standards, criteria, tools; and techniques that shall have 
application to more than one DoD Component or industry for 
securing, testing, and evaluating ADP Systems designated to 
handle classified information. 

The Assistant Secretary of Defense (Telecommunications), in 
accordance with responsibilities assigned under DoD Directive 
5135. 1, reference (c), shall insure that adequate mechanisms 
exist for the development and procurement of integrated secure 
means of telecommunications in support of secure ADI Systems. 

The- Head of each DoD Component shall*: Designate an official(s') 
as a Designated ..Approving .Authority (c. g. , a . Senior ADP Policy 
Official/ designated under DoD Directive 5100.40, reference (a),^ 
etc. , ) to approve. ADP Systems for the. processing,' 'use, ; storage h 
•and production of classified material under their jurisdiction. 

It shall be the responsibility of each Designated Approving ■ uxhor- 
itv to:' rSevilorAPF Policy OPhcai rtf' M - 4>A (rM) 


1 


) 

■ ( 


\A$P 






2 . 


Assure that such ADP Systems meet and maintain tne "re- 
quirements prescribed for. the system', and that the con- 
tinued approval of the system is contingent upon the results 
of a recurring review, testing, and favorable evaluation of 
the security features and cost effectiveness of the system. 

Manage, or ;' £tssigii responsibility to’ srrbordinate organiza - ^ 

tions to manage, ;the implementation of ADP System security 
policy and., the testing and. evaluation of the security-features 
of ADP Systems. under their jurisdiction. 


■3. 


Provide' for" the -appointment - of .-a responsible ADP System 
/Security Officer for each ADP System approved' for thte 


.handling of classified niaterialv t\jO'f 


\A- W 


' OMi PA A TM^NjBb 


/ 


D. 


The Secretary of the Navy, in addition to the responsibilities 
outlined in C. , above, through the DoD Computer Institute 

(DoDCI), shall also provide training for ADP System users, com- 
puter specialists, and security specialists who will be engaged m 
the development, management, and operation of secuie 
Systems. 
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The Director, Defense Supply Agency (DSA), shall also 
designate one or more officials to approve contractor ADP 
Systems for the handling of classified material, and when 
required, certify, on behalf of the Director, DSA, those 
industrial systems which meet prescribed requirements, 
to the responsible authority designated in Subsections F. , 

G. , and H. below, for approval; 

The Director, National Security Agency (NSA), shall: 

1. Adopt appropriate security measures consistent 
with the intent of this Directive for ADP Systems 
under his control, including those of NSA con- 
tractors. 

2. Provide DoD Components, as requested, communi- 
cations security assistance in support of effective 
ADP security measures. 

The ’.Director ,' De fense , Intellig ence' Agenc y ( DI.A ) , -"shall*: 

1. Approve’ as required, ADP Systems of DoD’Gornf- 
ponenis and their contractors , except for the 
systems under the cognizance of the NSA which 
operate in the. compar talented mode, of operation 
as defined in DCID No. 1/16, reference (lc), to' 
proce s s , store , vise or produce "cbmpar talented' 
.intelligence/ 

2. Advise the Director , Joint. Staff , of those ADP/ 
Systems which have. been accredited .under. DCID 
No.. .1 / 16, . reference (k) i(see G. 1, , above) which 
alsoTianSie SIOP-ESI. 

The Director, Joint Staff, shall monitor implementation 
of security policy, approve ADP Systems, and permit 
temporary exceptions to security measures, as required, 
for ADP Systems of DoD Components and their con- 
tractors which will process, store, use, or produce 
SIOP-ESI under the provisions of SM 212-72, reference (1), 
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MINIMUM REQU I REMENT 'S 

A. The objectives? of this Directive will be accomplished by 

ADP System Security Features and Measures that insofar 

a b ■ p oh s ibl'ei p r o vide : 

1. Individual Acc ountability. Each User's, identity shall 
be positively.. established, and his access to the sys- 
tem, and his activity in the system (including mate- 
rial accessed and actions taken) controlled and open 
to scrutiny. 

2. Environmental Con trol. The ADP System shall be 
Externally prqtectedjto minimize the likelihood of 
unauthorized access to sys'tem entry points, access 
to classified information in the system, or damage 
to the system, 

3. System Stability . All elements or components of 
the ADP Systems shall- function in a cohesive, 
identifiable, predictable, and reliable manner so 
that malfunctions are detected and reported within 
a known time, 

4. Data Inte g rity . .Each file or collection of data in 

the ADP System shall have an identifiable origin and 
use. Its accessibility, maintenance, movement, 
and disposition shall be governed on the basis of 
security classification and need -to-know. 

5. System Reliability. The system shall function so 
that each user has access to all of the information 
to which he is entitled, but no more. 

6. Communication Links. These links and lines shall 
be secured in a manner appropriate for the material 
designated for transmission through such lines or 
links . 

7. Classified Material. Such material handled and pro- 
duced by the ADP System or stored in or on media 
for recording classified material shall be safe- 
guarded as appropriate for the classification assigned 
to the information. 
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B. 


The principles in Subsection A. , above, shall be imple- 
mented by the application of appropriate security meas- 
ures, Application of such measures shall be the basis for 


the initial testing anci evaluation leading to the approval or 
disapproval of the ADD System, These security measures 
are to be upgraded as experience and new techniques are 
acquired under actual operating conditions or as a result 


of follow-on testing and evaluation procedures. (S pin'd of 
the techniques „a'nd fncas ur.eh which may be us ed""to" seburfe 
systems ope r ated in the multi •• ie ve 1 Se c:ur ity ; j Mpd.a .ari 
contained, in Dop .IVian.ual 5200, 28-Mi ) 


VII • EFFECTIVE DATE AND IMPLEMEN TA TI O N 


This Directive is efiective immediately. Two (2) copies of 
each implementing document shall be forwarded to the 
Assistant Secretary of Defen.se (Comptroller) within ninety 
(90) days. One copy shall be appropriately marked to 
indicate the implementation of' all parts of this Directive, 



Enclosures - 2 

1. List of References (Continued) 

2. Definitions 


Approved For Release 2004/02/10 : CIA-RDP79M00096A0001 00070001 -8 


1 "i 



Approved For Release 2004/02/10 : CIArRDP79M00096A0001 00070001 -8 

5200. 28(Encl 1) 
Dec 18, 72 


(e) DoD Directive 5200. 1, "DoD Informations ecurity Program, " 

June 1, 1972 

(f) DoD Regulation 5200. 1 (R), "DoD Information Security Pro- 

gram, " June 1, 1972 

(g) DoD Directive C-5200. 5, "Communications Security (COMSEC) 

(U), " April 13, 1971 

(h) DoD Directive S-5200. 19, "Control of Comp romising Emana- 

tions (U), " February 10, 19.68 - • j 

(i) DoD Directive 5210. 2, "Access to and Dissemination of 

Restricted Data, " October 18, 1968 

(j) DoD Directive 5220. 22, "Department of Defense Industrial 

Security Program, " July 30, 1965 

(k) DC ID N o, 1 / 1 6 1 "Security of Compartmented Computer 

Operations," January 7, 1971* 

(l) SM 212-72, "Policy for Safe guarding the Single Integrated 

Operational Plan," (U), May 12, 1972* 


* Copies available on a need-to-know basis from Director, Defense 
Intelligence Agency or the Director, Joint Staff, OJCS, as 
appropriate. 
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definitions 


A 


ccess 


b. 


The ahility and the means to approach, communicate with (input 

rial orT 1Ve ?"* ^ ’ 01 make use of any mate- 

rial oi component m an ADP System. Y Z 

Au toma ti c Data Processing (ADP) System 

An assembly of computer equipment faHliHo c , 

ware, and procedures configured for the nu- in’ pe f s ° nnel * soft " 
sorting calculating, computing, summ^h 

r; h .* of human inter- 

are the totality of Automatic Dati tc . 01 pulposes of uhls directive 
and include: 1C D * U Processing Equipment (ADPE) 

a. General and Special purpose computers (e.g. , digital 

analog, or hybrid computer equipment); b ' 

CommerciaUy available components, those produced as a 
les at of Research and Development, and the equivalent 
systems created from them, regardless of sice edacity 

storage 0 'pro 1 ’ *** *» the c «ation, collection, 

nation of ^ ^ 

Auxiliary or accessorial equipment, such as, data communi- 
niertT ermina ) s ' 6 ° urce data automation recording equip- 

taoo tin" g ’ ° ptlCal chara cter recognition equipment, paper 
ape typewriters, . magnetic tape cartridge typewriters and 
o her data acquisition devices) data nutnnt • " 

digital plotters and computer output microfiwT etc Z'to 

equipment "eiu 01 * ° f dl S lta1, analog, or hybrid computer 
self~hg cable - connected, wire-connected, or 

Electrical accounting machines (EAM) used in coniunction 
XrZ Z; PendentlY 0t dig,tal > - W com- 
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e. 


Computer equipment which, supports or is integral to a 
weapons system. 


AD P System Securit y 

Includes all hardware/ software functions, characteristics, and 
features; operation procedures, accountability procedures, and 
access controls at the central computer facility, remote com- 
puter and terminal facilities; and, the management constraints, 
physical structures, and devices; personnel and communications 
controls needed to provide an acceptable level of protection for 
classified material to be contained in the computer system. 


Central Computer Facility 

One or more computers with their peripheral and storage units , 
central processing units, and. communications equipment in a 
single controlled area. This does not include remote computer 
facilities, peripheral devices, or terminals which are located 
outside the single controlled area even though they are connected 
to the central computer facility by approved communication Enks. 


Com pa rt m e nte d Intelligence includes only that intelligence mate 
"rial" having special controls indicating restrictive handling for 
which systems of compartmentation or handling are formally 
established. 


C ontained 

"Contained" refers to a state of be ing within limits, as within 
system bounds, regardless of purpose or functions, and 
includes any state of storage, use, or processing. 

Dedicated Mode 

An ADP System is operating in a dedicated mode when the central 
computer facility and all of its connected peripheral devices 
and remote terminals are exclusively used and controlled by 
specific: users or groups of users for the processing of a particula 
type ( s) and category(ie s) of classified material. 

Intelligence 

Intelligence is the product resulting from the collection, evalu- 

a ti(AppiaJsraUyls6eR0te^gi2OiO4/O2/fO^AtRE^M0§6al)(5^oyii^M^^ On 
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concerning one or more aspects of foreign countries or areas, 
which is immediately or potentially significant to the develop- 
ment and execution of plans, policies, and operations. 

Material 

"Material" refers to data processed, stored, or used in, and 
information generated by, an ADP System regardless of form 
or medium, e.g., programs, reports, data sets or files, 
records, and data elements, 

Multi-Level Security Mode 


An operation under an operating system (supervisor or execu-. 
tive program) which provides a capability permitting various) 
levels' a.nd categories or compartments of material, to bd 
.concurrently storea and processed in' aa ADP System J In a) 
remotely accessed resource -sharing system-, the material 
can be selectively accessed and manipulated from variously 
controlled terminals by personnel having different security 
clear an ces and access approvals.) This mode of operation/ 
can accommodate the concurrent processing 'and storage off 
,(a) two or., more levels of classified data, or (b) one or more/ 
levels of classified data With unclassified data 1 depending' upod 
the constraints placed on the systems by. the,. Designated? 
Approving Authority (V. C, )J 

Operating System (O/S) 

An integrated collection of service routines for supervising 
the sequencing and processing of programs by a computer. 
Operating systems control the allocation of resources to a 
user and their programs and play a central role in assuring 
the secure operation of a computer system. Operating systems 
may perform debugging, input-output, accounting, resource 
allocation, compilation, storage assignment tasks, and other 
system related functions. (Synonymous with Monitor, Execu- 
tive, Control Program, and Supervisor. ) 

Resour ce -Sharing Computer System 

A computer system which uses its resources, including input/ 
output (I/O) devices, storage, central processor (arithmetic 
and logic units), control units, and software processing capa- 

ipprovld 
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process co-resident programs in an apparently simultaneous 
manner. The term' includes systems with one or more of the 
capabilities commonly referred to as time- sharing, mu i- 
programrning, multi-accessing, multi-processing, or 
concurrent processing. 

■ 3 ■ Remotely Accessed Resource-Sharing C o m^ute 

A computer system which includes one or more central proc- 
e s a ing units , pe riphe ral device s, rem ote te rminals , an 
communications equipment, or interconnection links, whic 
allocates its resources to one or more user, and which can , 
be entered from terminals located outside the central com- 
puter facility. 

Additional definitions applicable to techniques and procedures for 

implementing, deactivating, testing, and evaluatmg secure resour 

sharing ADP Systems are contained m DoD Manual 520 . 
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ASSISTANT SECRETARY OF- DEFENSE 

WASHINGTON, D.C. 20301 


co»naou.Eft 


DoD 5200. 28-M 
ODASD(SP) 


FOREWORD 


This publication, DoD 5200. 28-M, ". Techniques and Pr o cedure.S-_ £or 
Implementing, Deactivat ing. .-Testing. . and Evaluating - Secure 
Resource -Sharing ADP Systems, " is issued under the authority of 
ancTTn accordance’ with DoD Directive 5200, 28, "Security Require- 
ments for Automatic Data Processing (ADP) Systems." This manual/ 
is effective immediately and is : applicable -to" all Department of 
Defense Departments ;and Agencies, the Organisation of the' Join t- 
Chiefs of. Staff, • and the Unified and Specified Commands Which process* 
use, or store classified data, or generate classified information, in/ 
y es our c e -sharing ADP systems/. Its provisions are equally applicable 
to DoD operated systems, contractor operated systems, and to com- 
puter service organizations providing contractual ADP services to the 
Department of Defense or its contractors . This manual implements / 
DoD Directives <ahd Instructions and takes precedence, over conflicting 
instructions :t It establishes uniform guidelines for techniques and 
procedures to be used when implementing, deactivating, testing, or 
evaluating secure resource -sharing ADP systems find, when applica- 
ble, components of such systems, without the' iidee's si ty’ .'of fur then' 
formal issuance "by 'any DoD Component! The Pleads of D oD Coiuponents 
may, however j augment "this ■manual 1 ’ to meet their needs by. prescribing 
more detailed guidelines and instructions for their systems which are 
not inconsistent, with this manual and DoD Directive 5200. 28, Two 
copies of each supplemental, instruction issued by a Component shall be 
forwarded, immediately following publication, to the Deputy Assistant 
Secretary of Defense (Security Policy), OASD(C). One copy shall be 
appropriately marked to indicate the part of the manual which is being 
augmented. 'Recommendations for revisions cr amendments to this 
' .publication should be addressed through appropriate channels to the. 
Deputy Assistant Secretary of Defense (Security Policy), OASD(C). 


N 
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Assistant Secretary of Defense 
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SECTION I 

GENERAL PROVISIONS 
Part 1. INTRODUCTION 


1-100 O bjective 


The security of the United States depends in part upon the proper safe- 
guarding of classified data processed, stored, and used in or classified 
information produced by ADP Systems. Safeguard* applied to ADP 
Systems Include all hardware/ software functions , characteristics, and/ 
features; operational procedures, accountability procedures , 'and acces* 
controls at the central computer facility and remote, computer mid- 
terminal facilities'; and the management constraints and physical 
structures and devices, needed to provide an acceptable level of pro- 
tection for classified material {data or information} contained m the 
computer, system. 

a. The objective of this manual' is to provide guideline's and establish 
techniques and procedures which can be used. to: 


1. Implement secure resource- sharing ADP . System V so that 
with reasonable dependability, deliberate ox inadvertent access to 
classified material by unauthorized personnel or the unauthorized 
manipulation of the computer and its associated peripheral devices 
. which could lead to the compromise of classified information, can 
■be prevented; 


2 . Develop; acquire, and : e stab lislfmethodolo gie sy technique*’, . 
standards .find procedures fot the design, analysis, testing, evaluation, 
and approval of the. s e curity feature s"'fd r’reso ivr ee - sharing ’ADP Systems 


3. Establish” m’etho'do logics , techniques, and procedures for the 
physical protection of ADP Systems and components; and, 


4. 


Pro scribe "Standards’ , 


criteria, and specifications for de- 


activating secure 
ponents for dispo 


ADP Systems and the sanitization of system com 
sition or utilization in unsecured environments. 


1 

Approved For Release 2004/02/10 : CIA-RDP79M00096A0001 00070001 -8 


Approved For Release 2004/02/10 : CIA-RDP79M00096A0001 00070001 -8 


h. The potential means by which a computer system can be adequaxexy 
secured are virtually unlimited. The safeguards adopted must be con- 
sistent with available technology, the frequency of processing, the clas- 
sification of the data handled or the information to be produced, the 
environment in which the ADP System operates, the degree of lisk 
which can be tolerated, and other factors which may be unique to the^ 
installation involved. Rigid adherence to all techniques, methodologies, 
and requirements discussed in this manual could adversely impact up- 
on the present and future use of the system under today s rapidly 
changing ADP technology. This technology is dynamic and the methods 
chosen to secure a particular system must accommodate new develop- 
ments without degrading the level of protection. 


c. The techniques, methodologies, and procedures m this manual/ 
however, represent" an approved method of securing a remotely a.&- 
pessed re source -sharing' computer system in a 'multi-level- security 
mode as prescribed by DoD Directive 5200 . 28 , "Security Requirements 
for Automatic Data Processing (ADP) Systems." It is understood that 
all of trie te Chniqu.es " 'described' in thi s'. manual may not be econora ica lly 
.justified after a cast versus risk evaluation/ Therefore, selected 
subsets of the techniques included in this manual, with appropriate/ 
trade-offs , "may be used to "gain the level of security required low 
classification category , ' etc. , to be secured'. In addition, techniques 
not necessarily included in this manual may be used so long as such 
methods provide the degree of security specified in DoD Directive 
5200. 28 . 

d. The techniques and procedures described in this manual shall not 

• be applied to ADP Systems which cannot be retrofited without excessive 
■and unjustifiable costs or which can be dedicated and adequately secured 
for classified operations with reasonable administrative, personnel, 
physical and cornrnu.ni cation security controls* 


1-101 Authority and Scope 

a. This manual, authorized by the Secretary of Defense under the 
authority of the National Security Act of 1947, as amended, and E.O. 11652 
is established as a DoD manual published by the Assistant Secretary of 


.2 
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Defense (Comptroller) under the authority of DoD Directive 5200.1, 
dated June 1, 1972, DoD Regulation 5200.1(H), June 1, 1972, DoD 
Directive 5100.40,- dated May 18, 1370, as changed and DoD Directive 
5200.28. 


b. j.nis manual is applicable to the Office of the Secretary of Defense, 
all Department of Defense Departments and Agencies, the Organization 
; *of .the Joint Chiefs of Staff, and the Unified and Specified Command 
which process , use, or. store classified data or produce classified' 
information in resource- sharing AD? Systems/ Its provisions are 
equally applicable to Department of Defense operated systems, con- 
tractor operated systems, and to computer service organizations 
providing contractual ADP services to the Department of Defense or 
its contractors wherein classified data and information are to be 
handled in a resource-sharing ADP System. 


c. Ibis manual implements DoD Directives and Instructions and 
i-he security polici.es established by the Assistant Secretary of Defense 
(Comptroller) and takes precedence over conflicting instructions. It 
establishes uniform guidelines for the techniques and procedures to 
be used when implementing, deactivating, testing, evaluating, and 
approving secure resource-sharing ADP Systems. 


ch Recommendations for the clarification, revision, or amendment 
or this manual should be addressed with recommendations through 
channels to the Deputy Assistant Secretary of Defense (Security 
Policy), 0ASD(C) . 


1-102 R e s pons i b 1 1 1 1 i c s 

a., fhe Deputy Assistant Secretary of Defense (Security Policy), 
0ASD(C), is designated to fulfill the responsibilities in Section V.A. , 
DoD Directive 5200,28, "Security Requirements for Automatic Data 
Processing (ADP) Systems," and to: 

1. Approve all specialized security testing and evaluation 
(ST&E) tools and equipment validated for the joint usage of more 
than one Department of Defense Component or contractor; 

2. Advise, assist, and assess progress of Department of Defense 
Components in the development and implementation of effective security 
testing and evaluation (Sl’&E) programs; and 


3 
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3. 


Monitor administration of Component's ST&E programs. 


b. Component's Designated Approving Authorities, or their assignee 
for this ourpose, in addition to the responsibilities assigned m Section 
V. C. 1. , 2., and 3., DoD Directive 5200.28, will assure: 

1. Issuance ox instructions which fully explain the security 
requirements and operating procedures of each ADP System approved 
for the handling of classified material and the proper clearance and 
indoctrination, inapplicable security requirements and responsibilities, 
of all personnel who install, operate, maintain, or use such systems. 

2. Operation of each, ADP- System .under the controls prescribed 

for the . category(ies) of classified material contained in the system/ 

3. Where appropriate, the appointment of terminal area security 
'officer (s) J who will be responsible for performing applicable security 
functions at approved terminal areas which are an integral part o- an 
ADP System which contains classified material. 

4. Maintenance, of docurnentation'on -operating systems (O/S) . 

and all modifications thereto, and its retention for a sufficient period 
of time to enable tracing of security-related defects to their point o 
origin or inclusion in the system. 

5. Supervision,, monitoring, -and testing, ah' appropriate, of' 

changes in an approved ADP System which 'could affect the security 
features of the system, so that a secure system is maintained. 

6. Sstablishmehtddf -procedures to discover, recover", handle, ^ 

and dispose of classified material improperly disclosed through system 
m aliunction ; -qx ,po r s onrte 1 a ctioiu 

7. Proper disposition and correction of security deficiencies 

in all approved ADP Systems, and the effective use and disposition of 
system housekeeping "or audit records?, records of security violations 
or.;, security- related system malfunctions.! and records of tests of- 
the so curity feature s of- the ADP- Sys tern . 


4 - 
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8. Conduct of competent system ST&Ej, timely review of system 
ST&cE reports, and. correction of deficiencies needed to support con- 
ditional or final approval or disapproved of the ADP System for the 
processing of classified information. 

9. Establishment, where appropriate, of a central STfkE co- 
ordination point for the maintenance of records of selected techniques, 
procedures, standards, arid tests used in the testing and evaluation of 
security features of ADP Systems which may be suitable for validation 
and use by other Department of Defense Components. 

10. Justification of information requirements under the provisions 
of DoD Directive 5000. 19. 

11, Notification to the DASD(SP) of major ST&E plans, problems 
and accomplishments, as appropriate. 

1-103 Arran geme nt 

This manual is divided into sections, parts, and paragraphs . Each 
section is designated by subject and Roman numeral (e. g. , I, II, III, 
etc. ), and covers a separate aspect of implementing, deactivating, 
evaluating, testing, and approval of the security features of resource- 
sharing ADP Systems used to handle classified material. Each part 
is designated by title and Arabic numeral (e. g. , 1. , 2. , 3. , etc. }, 
and contains a breakdown of the subjects covered by the section into 
related divisions. The paragraphs are a further division of the parts. 

They are so numbered that the first digit indicates the section, the 
second digit, the part arid the last two digits, the paragraph (e. g. , 

1-103, designates Section I, part 1, paragraph 3; 2-3 14, designates Section J.I, 
part 3, paragraph 14). The manual is designed to permit subsequent 
insertions of additional looseleaf parts and paragraphs within the ap- 
propriate section without major reprint of the entire publication. 


1-104 Amendments 

This manual will be amended from time to time and, unless otherwise 
specified in any amendment, the amendment will be effective upon 
publication. 


5 
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1-105 Component Procedures 


Roirtponents 

« Co^-ncit Silt" o^dX SSSpSySStS Secretary , of 

3s « ss& ss&jarsss 

•part of this manual which is being augmented. 
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SECTION I 

Part 2. DEFINITIONS 

* « .1 . 

1-200 Access 

The ability and the means to approach, communicate with (input to 
or receive output from) , or otherwise make use of any material or 
component in an ADP System. . 


1-2C1 Automatic Data Processing; (ADP) System 

An assembly of computer equipment, facilities, personnel, software, 
and procedures configured for the purpose of classifying, sorting, 
calculating, computing, summarizing, storing, and retrieving data 
and information with a minimum of human intervention. ADP Systems 
as defined for purposes of this manual are the totality of Automatic 
Data Processing Equipment (ADPE) and include: 

a. General and Special purpose computers (e.g., digital, analog, ■ 
or hybrid computer equipment); 

b. Commercially available components, those produced as a result 
of Research and Development, and the equivalent systems created 

from them, regardless of size, capacity, or price, which are utilized 
in the creation, collection, storage, processing, communication, dis- 
play, and dissemination of classified information; 

c. Auxiliary or accessorial equipment, such a.s, data communications 
terminals, source data automation recording equipment (e.g., optical 
character recognition equipment, paper tape typewriters, magnetic 
tape cartridge typewriters, and other data acquisition devices), data 
output equipment (e.g., digital plotters and computer output microfi Invars) , 
etc,, to be used in support of digital, analog, or hybrid computer equip- 
ment, either cable -connected, wire-connected, or self-standing; 

d. Electrical accounting machines (EAM) used in conjunction with or 
independently of digital, analog, or hybrid computers; and 

e. Computer equipment which supports or is integral to a weapons 

system. ; 
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1-202 AT)P System Security 

Includes all hardware/software functions, characteristics, and 
features, operational procedures, accountability procedures, and 
access controls at the central computer facility, remote computer 
and terminal facilities, and, the management constraints, physical 
structures, and devices; personnel and communication controls needed 
to provide an acceptable level of protection for classified material 
to be contained (1-20S) in the computer system. 


1-203 Arrest 

The discovery of user activity not necessary to the normal processing 
of data which might lead to a violation of system security and force 
termination of the activity. 

1-204 . Breach 

Hie successful and repeatable defeat of security controls with or 
without an arrest (1-203), which if carried to consummation,' could 
result in a penetration (1-220) of the system. Examples of breaches 
are : 


a. Operation of user code in master mode; 

b. Unauthorized acquisition of I.D. password or file access pass- 
words ; and 

c. Accession to a file without using prescribed operating system 
•mechanisms. 

1-205 Briefing 

Explanation by a Test Team of' the techniques, procedures, and require- 
ments for the testing and- evaluation of 'a specific system. 
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1-206 Central Computer Facility 

One or more computers with their peripheral and storage units, 
central processing units, and communications equipment in a single 
controlled area. This does not include remote computer facilities, 
peripheral devices, or terminals which are located outside the single 
controlled area even though they are connected to the central computer 
facility by approved communication links. 


1-207 Compartraanted Intelligence 

Includes only that intelligence material having special controls indicat- 
ing restrictive handling for which systems of corap artmentat ion or handling 
are formally established. 

* 

1-208 Contained 

"Contained" refers to a state of being within limits, as within 
system bounds, regardless of purpose or functions, and includes any 
state of storage, use, or processing. 

1-209 D ebrief ing 

The Test Team oral exit report of its evaluation of the security 
features of the ADP System. 


1-210 Dedicated Mod e 

An ADP System is operating in a dedicated mode when the central computer 
facility and all of its connected peripheral devices and remote terminals 
are exclusively used and controlled by specified users or gi'oups of users 
for the processing of a particular type(s) and category (ies) of classi- 
fied material. 


1-211 Escort (s ) 

Escort(s) are duly designated personnel who have appropriate clear- 
ances and access authorisations for the material contained in the 
system and are sufficiently knowledgeable to understand the security 
'implications of and to control the activities and access of the 
individual being escorted. (Such action is essential to the protection 
of classified material contained in the system and to the maintenance 
of the reliability of the. security features j_ hardware or software/ of 
the system. ) 
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1-212 


Evaluator (s) 


Personnel specifically designated to participate in the Test Team 
re^rLSsls, taking, and evaluation of the security features 

of an ADP System. 


1-213 Evaluation 

The evaluator’s report to the Designated Approving Authority descriD- 
.ing the investigative and test procedures used in ■ the analysts of the 
ADP System Security features with a description an r< ~ ld r .. 

used to support or refute specific system weaknesses the would per 
mit the acquisition of identifiable classified manual from ,ccur 
or protected data files. 


1-214 I^mgencc 

Intelligence is f.he product resulting, from the collection evaluation, 
cnalvcjs integration, and interpretation of all information concern- 
in, one or more aspects of foreign countries or areas, which islcm 
Stely or potentially significant to the development and execution or 
plans, policies, and operations. 


1-215 

Tne review and analysis of charts! assembly 

.St-Sfand related^documentation^to^determine the security provided 
bv the operating system). 


1-216 Hater ial 


'Material"' refers to data processed, 
produced by, an ADP System regardless 
reports,, data sets or files, records, 


stored, or used in, 
of form or medium, 
and data elements. 


and information 
e.g., programs. 
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1-217 Multi-Level Security Mode 

A mode of operation under an operating system (supervisor or 
executive program) which provides a capability permitting various 
levels and categories or compartments of material to be concurrent- 
ly stored and processed in an ADP System. In a remotely accessed 
resource-sharing system, the material can be selectively accessed 
and manipulated from variously controlled terminals by personnel 
having different security clearances and access approvals. This 
mode of operation can accommodate the concurrent processing and 
storage of (a) two or more levels of classified data, or (b) one or 
more levels of classified data with unclassified data depending upon 
the constraints placed on the systems by the Designated Approving 
Authority (V.C. ), 1 


1-218 Operating System (0/S) 

An integrated collection of service routines for. supervising the 
sequencing and processing of programs by a computer. Operating 
systems control the allocation of resources to users and their 
programs and play a central role in assuring the secure operation 
of a computer system. Operating systems may perform debugging, 
input-output, accounting, resource allocation, compilation, storage 
assignment tasks, and other system related functions (Synonymous 
with Monitor, Executive, Control Program, and Supervisor.) 


1-219 Orion tati on 

The formal and informal presentations and discussions with the 
authority responsible for the ADP System which supplements the 
information in the initial Security Testing and Evaluation (ST&E) 

Request and provides the system evaluators an introduction to the operat 
ing environment, the techniques used to provide system security, the 
identity and location of documentation describing the implementation 
of system security measures (e.g., 0/S modifications, etc,), ana the 
techniques available, to demonstrate the effectiveness of such measures 
in meeting requirements of DoD Directive 5200.28'. 


Approved For Release 2004/02/10 i L blA-RDP79M00096A0001 00070001 -8 



Approved For Release 2004/02/10 : CIA-RDP.79M00096A0001 00070001 -8 


1-220 


Penetration 


The successful and repeatable extraction and Identification of recog- 
nizable information from a protected data file or data set 'without 
any attendant arrests. 

1-221 Resource-Sharing Computer System 

A computer system which uses its resources, including input/output 
(I/O) devices, storage, central processor (arithmetic and logic units), 
control units, and software processing capabilities, to cnao e o 
more users to manipulate data and process co-resident programs m ^ 
apparently simultaneous manner. The term includes systems Witn one 
or more of the capabilities commonly referred to as time-sharing 
multi-programming, multi-accessing, multi-process. .ng, or cone 
processing. 


l-222 


Remo t e ly Accessed Resource- Sharing _tom2H?J^l-^IlS££B 


A computer system which includes one or more central processing 
units' peripheral devices, remote terminals, and communications 
eauilhnt or interconnection links, which allocate. tM, resources 
to one or mote user, and which can be entered from terminals 
located outside the central computer facility. 


ST&E T o ols and Equipme nt 


1-223 

Specialized techniques, procedures, criteria, standards, programs , 
Specialized auuuqu^, i cpm-ritv Testing and Evaluating 

or equipment accepted by qualified Security lesring anu ^ 

(ST&E) personnel for uniform ‘or standard use in cesti g 

ing secure features of ADP Systems. 


1-224 


Validation 


That portion of the development of specialized. ST&^ procedures 
tools! and equipment needed to establish acceptance foi joint-usage 
by one or more DoD Components or their contractors. Such Kti°“ 
will include, as necessary, final development, evaluation, and t.st g 
' 'leading to acceptance, by senior ST&E staff specialists of th,. three 
Military Departments or a Defense -Agency, and approval for join 
usuage by the DASD(SP). 
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1-225 


Verification 


The successful testing end documentation of actual on-line system 
penetration or attempts to penetrate the system m support m in 
contradiction of assumptions developed during system review -and 
analysis which are to be included in the Evaluation report. 
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Part 1. 


SECTION II 
PERSONNEL SECURITY 
CLEARANCE AND ACCESS CONTROLS 


2-100 


General 


Personnel who; develop, . test (debug)",' maintain, or use programs/ 
which' 'are classified? or which will be used to access or o eve lop 
classified material shall have a personnel security-, clearance and 
■an .access authorihatioiAKneed-to-know) s as appropriate for tne/ 
highest classified and most restrictive category of classified 
material which, they will: ..access: under sys tern constraints. 


2-101 


Central Computer Facility. 


a. Unescorted entry to the Central Computer Facility tor access 
to any of its ADI? System components' (hardware or software) shall 
be controlled and limited to personnel who are cleared, for access' 
ho the highest classified and most restricted '.category of classified 
material contained .in the ADP vSystetf, and whose need- to -know ^ has 
been ascertained by the responsible ADP Systems Security Officer. 

b. When the ADP System contains ■ compartme.ui.ed intelligence or 
SI.0P-ES1, access shall be limited to personnel who;, in addition 

to the above, have a TOP. SECRET clearance and ' an access -.'authorization 
as appropriate, for the type (s) 'of material contained in the system. 
Except as specified in Subsection 2-103, below, otner persons/, whose 
access to the area is required on a one-time or infrequent basis ^ and 
who will not have access to classified material or to the system * 
hardware or software, may. be' admitted to the 'area -when accompanied 
by an escort i (paragraph 1-211) who will be responsible for the 
visitor's activities while in the area. 
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2-102 Operation and Operating System (0/s) Programming 
Personnel 


P.e r s onne In op e r s, t i ng 


the- system .and ••controlling access 


points or -those who desi 
maintain the security fe 


gn, ....develop, Install, modify, 
atur.es, of .. the .software in the 


to its entrf 
service-, or/ 
operating 1 


system • (0/s)j which controls user program access to the system 
(I/O, storage or use) or -the key or combination by which the 
system is protected, shall" be cleared' and. ..have, .access author!*- 


nation as appropriate for the highest classified and most/ 
restrictive, .category, of hia ferial contained .In the . sys tem and shall 


be indoctrinated in appropriate security procedures for the 
particular ADP System and facility before assuming their duties. 
(Temporary or permanent modification of the 0/S shall be tested 
by designated, personnel to assure that the security features of the 
ADP System are effective. Audit trail records /Subsection 5-100/ 
of these transactions shall be maintained.) 


2-103 Mai ntenance Personnel 


Pe rs onne 2 re qui r i ng 
System (central or 
Operations of J? - the" b 
information , shall 
for the highest el.a 


access to any part or component of the ADP 
remote) which could affect or '.modify • the secure 
ys tern or permit access to classified data or' 
have .a security clearance and. access authorization 
■s.sif led . and most res brictive. category of clas-' 


pified material contained in 


the. systems 


Should it become necessary 


for uncleared maintenance personnel' - to access the ADP System they 
shall be accompanied by ah" escort/ (See 1-211) designated for that 


purpose . 
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'SECTION III 

PHYSICAL, COMMUNICATIONS, AND 
Emanations security 

Part 1. PHYSICAL SECURITY OF AREAS 
3-100 General 

Physical security considerations are essential elements in the plan- 
ning, design, installation, utilization, and evaluation of all ADP 
System facilities and installations. 


3-101 


Central Computer Facility 


a. I aysical security requirements for the central computer facility 
area will be commensurate with the highest classified- and mo st 
restrictive category of information being handled .in .-the ADP .System. 

b. If two or more computer systems are located in the same con- 
U oiled area, the equipment comprising each system may be located 

so that direct personnel access, if appropriate, will be limited to a 
specific system. 


3-102 


Remote Terminal Areas 


a. While the physical and personnel security requirements for the 
Central Computer Facility area are based upon the overall require- 
ments of the total ADP System, remote terminal area requirements; 

, bt btlf > eu U P 3U the highest, classified and most restrictive 'cate^orV 
.and type of material which" willtbe-accesSedAhrough the .terminal unde? 
system constraints'*. 

b. Eacn remote terminal will be individually identified to ensure 
required security control and protection, with .identificationas. a 
feature of- hardware, ih •'combination vvith' the operating system* 
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c. When a peripheral device or remote terminal, whether or not 
approved for the handling of classified material, is to be used by 
personnel of a component that is not responsible for the over-all 
operation and control of the ADP System, the security measures 
for the device or terminal and its area will be prescribed by the 
authority responsible for the security of the over-all ADP System. 
Such security measures will be agreed to and implemented before 
the user's peripheral device or remote terminal may be con- 
nected to the ADP System. 

d. When one or more DoD Components' ADP Systems become, 
a part of a larger ADP network, the approval and the authority to 
authorize temporary exceptions to security measures for the 
Components' ADP System in the network will require the cpn- 
currence and approval of both the DoD component operating the ^ 
ADP System and the DoD component having over-all responsibility 
for the security of the network. (See para. 3-301.) 


3-103 Disconnect Procedures 

a. Each remote terminal which is not .'.controlled and protected / 
as -required for material accessible through it will be disconnected 
from the ADP System wherq the- system' contains classified info r-' 1 
.mationb 

b. Disconnect .procedures’, when required to protect classified 

material contained in the ADP System, will be used to disconnect 
remote I/O terminals and peripheral devices from the system by 
ja. hardware or software' method authorized by the Designated Ap-' 
proving Authority. ' 

3-104 Su pplemental Requirements 

When compa r tmented" intelligence or SIOP-ESI is to be handed m 
the ADP System, the supplemental physical 'Security control- required 
by. Sections IVPLA ahd'M'. Af DoD Directive 5200. 28 . will -apply- to the 
-central computer facility:ai'eay- ; and all Areas, having .remote terminals' 
co n n e ct e d to,, thebs y s tern i 
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3-105 Adju stment of Area Controls 

a. When appropriate, provision will be made to permit adjust- 
ment of area controls to the level of protection required for the 
category or type of material actually being handled in the computer, 
its peripheral devices, and terminals, except that the Central 
;Computer Facility and those components approved for the storage 
and. processing of -classified material, will not be downgraded bemw 
the. level. required to protect' secure. communications -equipment:', to,; 
maintain the. reliability and security of the ADP System, and to 
protect essential hardwares A;software..;components.of the;,ADP.v 
System; 

b. If the minimum measures for the Central Computer Facility, or 
ADP System are suspended or discontinued for any reason, the 
security features of the system will be re-evaluated, as would any 
new system or component before again beings approved for the 
processing of classified material. / 
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SECTION III 

Part 2.. ' PHYSICAL SECURITY OF EQUIPMENT 


3-200 General 

While procedural or specialized techniques to be applied by 
Components, have, in the past, been largely left to i.heir discretion, 
it is contemplated that as specialized techniques are developed and 
tested they will be published either in this manual or ics associated 
newsletter. 


3-201 Equipment Application 

Counter-measures to Physical Security Hazards such as fire, 
natural disaster, sabotage, and environmental problems (e. g. , ^ 

power failures) are also being prepared. for coordination, approval, 
and publication in this section of the manual. 
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SECTION III 

Part 3. COMMUNICATIONS SECURITY 


3-300 


Commun i c a t Ion Links 


Transmission and communication lines and links which provide secure 
communications between components of or to an^AUP System will bo 
secured in a manner appropriate for the material designated for 
transmission through such lines or links under the provisions _ of 
DoD Directive C-5200.5, DoD Directive 5200.1, and. DoD Regulation 
5200. 1(R). Telecommunications facilities supporting ADP Systems 
will meet the security criteria used for Defense Communications 
System under DoD Directive 4630.1. 


3-301 In terfac e with Communications Networks, 

The DoD component that operates an ADP System which requires only 
communication support from telecommunications networks such as ^ 
AUTODIN will determine the security requirements for the handling 
of classified material in its ADP System. The . security measures 
to be agreed to and implemented before connection with the 
communication network are limited to those needed to insure the 
development, interface, and integration of secure, reliable, 
survivable, and cost-effective transmission and communication 
lines and links which are needed to meet the communication require- 
ments of the telecommunications network supporting the ADP System. 


3-302 S torag e and Forward Message Switches 

Information in this section will be added following further coordination 
and approval. 


3-303 Multiplexers 

Information in this section will be added following further coordination 
and approval. 
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SECTION III . 

Part 4. EMANATIONS SECURITY 


3-400 Emanations Control 


Measures to control compromising emanations are subject to approval 
under the. provisions of DoD Directive S-5200.19, by the cognizant 
authority of the Component approving the security features of the 
ADP System. Application of these measures within industrial 
ADP Systems is only at the direction of the contracting activity 
concerned under provisions of Section IV. N. of DoD Directive 5200.28 
and the requirements are to be included in the contract . 
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SECTION' IV 

HARDWARE l/S OFTWAKS FEATURES 
Part 1. GENERAL 


4-100 Application 

A combination of hardware and software, features are essential to 
provide protection for material stored or processed in the secure 
resource-sharing ADP System. While all of the. 'following feature's* 
may not be available ' in the current hardware or software or. .a/ 
’combination thereof , : they shall be provided "at the earliest datenthatf 
the state-of-the-art permits' The available hardware/ software 
features outlined below should operate unabridged whenever clas- 
sified material is contained in the resource-sharing ADP System 
and measures shall be implemented to provide special controls over 
the access to or modification of such features. Where possible* 

and practicable such features' should ■ contain, two or more inde- 
pendent controls .which would have to malfunction simultaneously/ 
for, a breach of system; s.e.c.ur-lty to occur*. 
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SECTION IV 
Part 2. HARDWARE 
4-200 Hardware Features 

a. The execution, state of .a . processor should include one or mor.b 
variables, i. e. , "protection state .variables/', iwhich determine the 
interpretation of instructions 'executed ''by the processor. For 
example, a processor might have a master mode/user mode pro- 
tection state variable, in which certain instructions are illegal 
except in master mode. Modification of the protection state 
variables shall be so constrained by the operating system and hard- 
ware that a user cannot access information for which he has no 
authorization. 

b. The ability., of: a processor to access.locatibns. in memory 
(hereinafter to include primary and auxiliary memory) should bd 
i'contr oiled /(e. g. , in user mode, a memory access control register 
might allow access only to memory locations allocated to the user 

by the O/S). 

c. 'The operationkof 'Certain' . instruct! one should depend oh the prof 
tection state of the process or 4 For example, instructions which 
perform input or output operations would execute only when in 
master mode. Any attempt to execute an instruction which is not 
authorized should result in a hardware interrupt which will permit 
the O/S to interrupt and/or abort the program containing the ille- 
gal instruction. 

d. All pos s ibl d 'operation codes with : ail' possible' tags Tor. modifiers/ 
Whether. .legal '.or : not,- 'should produce known responses by the computer, 

e. All registers should be capable" oRprotectitig their; content by? 
error: detection or redundancy" checks'. These include those which 
set protection state variables, control input or output operations, 
execute instructions, or which are otherwise fundamental to the 
secure operation of the hardware. 
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f. Any register which can be loaded by the operating ays tena should 
also be storable, so as to permit, the. O /S to '.check its current contents/ 
against its presumed contents. (The term "register" as used in e. 
and f. refers primarily to index or general purpose registers rather 
than an isolated address of a single storage location within_the com- 
puter. ) 

g. hrror detection should be performed oh each fetch cycle of anr 
instruction and. its operant (eugvb parity check -and -address- bounds 
check). 

h. (Error detection’ (e. g. , parity checks) and memory bounds check-/ 

ing should be performed oh transfers of data between memory and 
storage. devices; .or terminals? • | 

i. Automatic programmed interrupt s ho u.ld...functio.n. to control' 
’system and -operator malfunction/ 

j. The identity of 'remote terminals. for input or output should be 
a, feature of hardware -in combination with the' operating system'. 

k. Read, write,' and execute access' rights of the' user, should be 
verified on. each, fetch cycle -of ah' instruction and its operant/ 
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Part 3- 


SECTION IV 


OPERATING SYSTEM (0/S) 


4-300 General 

The u^r:anG.master;modes :of. ADE Systems operation^ Ahall A>e ^s^ated 

60 that a program operating .in a u s er. m°ae xs px ev^n ^ /q/J)' s 

. .. a *3 much ot the opGrcttr^ii^, system v'-'/ 0 / . 

. coiftroj- .’^j.onb • . , i.*, ^ wo cfpv mode j 

P an.1aeh oSyTmuch frcldo, of the computer 

as it needs to do its job. 


4-301 0/S Controls - 

*•»« *>««** Officer. 

As a Kiin'imiEi',* the O/S must control- 

? All transfers • of material ' between' memory :arid < on- line storage^device a , 
between the central computer .facility equipment.. and any.remo a •*-» 

... , . . ..•> ^•nv^ma fla\r~ nan J and 


k./ V V w . w*-*-w . — ■ ■*• 

or be t ve on on-line: .storage devices. 


j.. j xri fh ft 1 1 oc* ut in. 0 * ADP System resources ? 
b. All operations associated with allocaiiu 0 yf „ vqteia . 

ter» = 5*r=« - 

„• fecess to programs ana'utJ jitira 

i-ious cat4 0 ?icl of waitttenunc* (e.g., at operations which ef.ee. 

““ncSainf-y ofSfS^ntfSrfiil^^chYoSrois shall 
insure* that access is limited to personnel authorised to perform 
particular categories of maintenance; and 

Ml v - vyoMV”(user^ is Jflad ®‘ 

vA an access -onAoAand' ..identification - system.-which 'associates uie useh 

aS'Si^Acrminali'intrthbCADP. System, with' the material- bemg accessou. 
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4-302 Test and Debugging Prcgr arris 

User application programs , and systems programs which do not violate 
the security or integrity of the ADP System, may be debugged during 
system operation, provided that such -.activity..., i.s.: limited,,. to the user 
JjJQ.de. All other system software development, experimentation, testing^ 
and debugging shall be performed on a system temporarily dedicated for 
these purposes . 


4-303 Clear System Procedures 

Procedures shall be available for clearing from the system, or making 
inaccessible, all classified material during operations without the 
required protection. 

4"304 Shutdown' and Restar t 

The 0/S must provide for security safeguards to cover unscheduled system 
shutdown (aborts) and subsequent restart, as well as for scheduled 
system shutdown and operational start-up. 

4-305 O ther f undamental Features 

The following features of the operating system (0/S) are also considered 
fundamental to the secure operation of an ADP System. Unauthorized 
attempts to change, circumvent, or otherwise violate these features 
should be detectable and reported within a known time by the operating, 
system causing an abort or suspension of the responsible user activity. 
In addition, the incident shall be recorded in the audit log, and the 
ADP System Security Officer notified, 

a. Kemory/Storage'- Protection. -■ The' 'Operating-rSysteni-'shall protect the' 
security ef . the ADP System by controlling': 

1. ■ Resource alloc a'tTorf (including primary and auxiliary memory); 

2 . Memory - access ' outside "of ’'&s¥igftbd 7 af eas* and 

3. The execution :of. 'master:. (supervisory) modesinstructions"' which ' 
.CQUld .adversely ■- affect: the.. -security, of thev-O/S*. 
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b , .Memory Residue •*“ The 0/o snail ensure than c 
critical elements of the system do not remain as 


.ass if led n 
accessible 


terial or 
residue in 


memory or on on-line storage devices. 

c. Access Controls Access to material stored within the ADP System 
shall be controlled by the ADP System Security Ofiicer, as required by 
cognizant authority, or by automatic processes operating under separate 
and specific controls within the 0/S established through hardware, 
software, and procedural safeguards approved by the ADP System Security 
Officer. 


d. ? Security ■-labels* - All classified material accessible by or within 
the ADP System shall be identified as to its security classification and 
access or dissemination limitations, and all output of the ADP System 
shall be appropriately marked. 


e. Terminal Identification/- Manual and adminis brative procedures and/or 
appropriate hardware/software measures shall be established to assure, 
that the terminal from which personnel are attempting to access classified 
material has been protected and is authorized such access. Where. a 
terminal identifier is used, for this purpose, it shall be maintained 
in a protected file. 


f. User Identification 7 - Where needed to assure control of access and 
individual accountability, each user or specific group of users shall 
be identified to the ADP System by appropriate administrative or 
hardware / software measures,. Such identification measures must be in 
sufficient detail to enable the AD? System to provide the user only 
that material which he is authorized. 
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SECTION V 
AUDIT LOG OR FILE 


Part 1. GENERAL 


5-100 Application 

An audit log or file (manual, machine,- or a combination of both)' 
shall be maintained as. a history -of the use of the ADP System' «o 
permit'..- a . regular security review of system activity, (e.g. The 
log should record security related transactions, including each 
access to a classified file and the nature of the access, e.g. 
logins, production of accountable classified outputs, and creation 
of new classified files. Each classified file successfully accessed 
j/regardless of the number of individual references/ during each 
lf job" or "interactive session" should also be recorded in the 
audit log. Much of the material in this lcfg may also be required 
to assure that the system preserves information entrusted to it.) 
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SECTION VI 
BASIC SAFEGUARDS . 

Part 1. GEJffiRAL . 

6-100 Application 

Procedures and basic safeguards prescribed in DoD Directive 5200. 1, 
and DoD Regulation 5200.1(H), for the transmission, processing, handling 
storage, and disposal of classified material apply to the material 
removed from the custody of the system. Further, when located outside 
of the central computer facility or its approved remote terminal areas 
all disc packs, tapes, etc., used to store classified material shall be 
protected and stored as appropriate for. the classification of the 
highest category of material ever recorded thereon until declassified 
(see Section VII) . . , 

■ I 
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SECTION VII 

S' 

ERASE AND DECLASSIFICATION PROCEDURES 
Part 1. INTRODUCTION 

7-100 Genera l 

The following procedures and specifications result from extensive 
research, investigation, and practice. They are adequate to the 
extent of such research and investigation, but, do not necessarily 
represent the ultimate status to be reached in this aspect of 
computer security. It is, therefore, anticipated that they will be 
improved through continued testing, evaluation, and usage by 
DoD Components. 

t 

7-101 During Operations - During normal operations in a controlled 
environment each memory location'used for the storage of classified/ 
data shall be overwritten when it is no longer required, before re- 
utilization, or before the content of the location may be read to 
preclude the unauthorized disclosure of classified data. Hardware/ 
software techniques may be used to accomplish this task. When any 
of the memory units or storage media are removed from the controlled 
environment, the procedures in Section VII Part 2. , below, shall 
apply. 


I 
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SECTION VII 

Part 2. ERASE PROCEDURES 


7-200 General 

a. Safeguarding classified information in a computer 
system requires special precautions because of the type of-tow* 
media and devices (magnetic drums , discs, disc packs, and tape } 
used to store, record, or manipulate data which must be 
by appropriate classification and security controls until procedur 

below are carried out. 

b Declassification - The eventual temporary or outright release 
oi the storage device or a system including storage media . should be 
anticipated. Procedures to be used to release or deploy the storage 

media are as follows : 


7-201 Magn etic Tapes 

Taoe* used to store magnetically recorded digital data may be de- 
classified by erasing with bulk tape degausser* suvhxcn have been 
tested and approved by a laboratory oi a Department oi Dt - ~ _ 
Component or a commercial testing laboratory, where such pests 
may be certified, by adhering to test methods and performance 
• criteria in technical specifications promulgated m Seccion \ L. . 
Elements of DoD Components may, where necessary, deve.op pro- 
curement specifications for their use, provided the test methods 
and performance criteria comply, as a minimum, with the 
specifications in Section VIII. 


7-202 Magnetm Disce, Disc Packs, Drums .^dmherjimilar 
-Ma gnetic Storage Devices 

The equipment shall be checked immediately prior to beginning the 
'overwrite procedure to insure that malfunction. *> £ 

will prevent the classified information from De.ng 
written. Further , when the capability exists , as an inlcg P 
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the storage subsystem, ; an AC/DC erase! will be applied to all data 
tracks before the tracks are overwritten and the overwrite verified. 
Thereafter, all storage locations will be overwritten; a immmum'ot / 
three times, once, with Ihe binary digit ''I'b once with the binary 

digit n G", and once with a single numeric alphabetic, or spec.di, 
character. Such alpha- numeric or other unclassified data shall 
be left on the device. The current used in overwriting must be ^ 
equal to that used in recording the information, but of a strength 
which will not damage or impair the equipment. 


-203 inoperative Magnetic Discs, Disc Packs ± Drums, and_ 


Similar R igid Storage Devices 


j f the storage device has failed in such a manner that it cannot be, 
overwritten the device may be declassified by exposing the /recording 
sur-face(s) to a permanent magnet having a field strength at the re- 
cording/ surface of at least 1, 500 OERSTED-. Care must be taken to 
insure that entire surface is wiped at least three times, by a non 
uniform motion of the magnet. Care must be taken to assure than 
all tracks are covered by the center of the magnet. A thin sheet 
of clear plastic (a 1-5 mil sheet) should be used to prevent damage 

to the recording surface(s). 


7-204 Inter nal Memory 

Internal memory <e. g. 7 core) may be declassified by alternately «*- 
ting each addressable memory location alternately to ail ones nn 


all " 


for 1000 cycles until the state is 


UJ1 j-eros" for J.uuu cycles uum urc *>*.«. t-v. — changed at leas t )9 7 > 
timest Detailed memory erase or clearing programs or routines 
should be prepared by qualified ADP programmers and approved 
by the ADP Systems Security Officer. 


7-2 05 Magnetic Storage Media U s ed to btor e_A nal^_gj___Yid_epj — 01 
S imiiar~Non- Digital Inform ation 

■-Magnetic tape used to record analog, video, or similar types of non- 
digital information may be declassified by degaussing as m 7-ZCi, 
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above. Rigid magnetic storage surfaces may be declassified as 
in 7-202, above, except that the unclassified overwriting signal 
must be analog instead of binary with the latter recording left 
intact on the device. In the case of a failure of the degausser or 
overwriting methods, a permanent magnet may be used as in 
7-203, above, for rigid recording surfaces. 


( 
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SECTION VII 

Part 3. DISPOSITION APPROVAL 
7-300 General 

V ith the specific approval, in each "case of the Designated (systems) 
Approving Authority, or his designee for this purpose, within the 
DoD Component that is responsible for the security features of the 
ADP System, storage media "treated as above niay.be handled.- as? 
unclassified .and released as necessary. 


7-301 Records 

A record of the'above ope rations rs hall be ■'maintained' for a period 
of cwo (2). years after disposition, of the device or '.equipment. 


7-302 Specific Guida nce 

a. Guidance for eradication of magnetic media not covered above 
may be obtained, by submission of all pertinent details to the Deputy 
Assistant Secretary of Defense (Security Policy), OASD(C), for' 
consideration on a case-by-case basis. 


b. In the absence' .of eradication by 'approved equipment or : procedure 
or at the direction of the designated official responsible for the ADP 
System's security ica.tu.res, magnetic information storage media shall 
be safeguarded in ■the'mhhiTe'r 'prescribed for:. the. highest classification 
ever r e corded ..the r.e.on. :until :it ■ tsv.de s tr-oyed. 

i • 
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SECTION VIII ■ 

SPECIFICATIONS FOR MAGNETIC TAPE ERASE EQUIPMENT 

Part 1. EQUIPMENT SPECIFICATIONS 

8-300 Mag n etic Tape Degausser Specifications 

This specification, covers an equipment to be used for automatic 
bulk degaussing of recorded magnetic tape. It describes in general 
the desired configuration and sets forth desired electrical and 
magnetic performance. 

8-301 Requirements 
a . General 

1. Reel Size. The equipment shall be designed to degauss 
magnetic tape in widths from 1 to 2 inches, wound on reels from 

3 to 15 inches in diameter, with provision for conversion to either 
5/] 6 inch hubs or computer reel hub dimensions. It will be permis- 
sible to turn over 2 inch reels for degaussing, 

2. Inst alla t ion. The equipment shall be designed such that 
either rackmounting or bench top operation can be accommodated with 
minimum modification. 

3. Operation. Operation shall be automatic once the reel is 
loaded and the degaussing cycle is initiated, except for 2 inch wide 
tape which may be cycled twice. The degaussing operation shall 
not require more than two minutes per reel. 

4. Degaussing Safe guard. A method of monitoring the relative 
current in the degaussing coils shall be provided. 

5. Safegu ard T ape Unwin ding. For vertically mounted degaussers 
a method of reversing the direction of reel rotation while cycling shall 

\ be provided. This reversal of reel direction must not interrupt the 
degaussing cycle. This safeguard prevents the unwinding of tape 
while cycling. 
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b. Detailed Requiements 

1. Electrical Power. The equipment must meet all requirements 
over the following parameter ranges: 

(a) Input Voltag e Ran ge - 95 to 135 VAC, single phase, 
three wire system. 

(b) Line Frequency Range - 48 to 62 cycles per second. 

(c) Power - The current drain shall be less' than 20 amperes 
for any of the foregoing conditions of line frequency and 
voltage. 

c . Mechanical 

1. Cabinet. The equipment shall be designed for mounting in a 
standard 19 inch rack and shall have -minimum height and weight ac- 
cording to the design requirements. 

2. Fi nish. Surfaces shall be adequately protected against corrosion 
within the environments detailed under section d. , below. 

d. Environmental Performance. The equipment shall perform to 
specification when operated in the environments listed in the following 
paragraphs: 

1. Alt itude . Non-operating: sea level to 50, 000 feet 

Operating: sea level to 10,000 feet 

2. Rela tiv e Humidity. Operating and non-operating; 5 to 100 
percent, no condensation. However the equipment shall survive condensatio 
after being dried out. 

3. Tempe rature. Non-operating: -40° to 7 1° C 

.Operating: 0°C to +55° C 

4. Vib rati on and Sho ck. Non-operating. The equipment shall survive 
\spe cified. test methods which are intended to simulate shock and. vibration 

levels expected in commercial shipping and handling. 


Approved For Release 2004/02/10 : ££A-RDP79MOO096AOOO1 00070001 -8 



Approved For Release 2004/02/10 : CIA-RDP7STM00096A0001 00070001 -8 


e . Performance. 

1. Deg aussin g, Level. The residual signal level after degaussing 
shall be a minimum of 90 db below saturated signal level for tape 
widths of 1 inch or less. 

2 . Duty Cycle. Design shall be. such that continuous operation, 

1. e. , a duty _ cycle~of 100% may be used. Under conditions of continuous 
operation, the temperature rise at the reel face of the equipment shall 
not exceed 35°F above ambient. 


8-302 Test Procedure. 
a • Equipment. 

1. Recorder /Reproducer with full track 1/4" heads. 

2. Audio Oscillator 

3. Wave Analyser with 20 ops bandwidth 

4. Oscilloscope 


b. Proced ure . 

1. Record. Record tapes with a 400 ops signal at /' ips with 
the record leveTset for saturation. Measure the playback signal 
level using the wave analyser on the 20 ops bandwidth position and 
the recorder playback gain set at maximum. This is the reproduce 
reference level. 


NOTE: The saturation point shall oe defined by the 

tape transfer curve as the output level foi 
which input levels L and 2: produce the same 
output. (See Figure No. 1} 

I 1 


2. De gaussing. Degauss the tapes. 

NOTE: To evaluate the ability to degauss wider tape 

widths two, three, and four 1/4 inch reels can 


.3 7 
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be taped together for the degaussing procedure. 

To simulate the larger diameter reels a special 
15" X 1/4" reel would have to be used. This 
' can be constructed by interchanging a standard 
1/4" hub and 15" flanges. 

3. Playback. Playback the degaussed tapes with the playback 
gain set at maximum. Tune the wave analyzer {2 0 ops bandwidth) 
to measure any residual signal level, 

NOTE : Clean and degauss tape recorder threading 

path before each pass. 



i 

v 
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SATURATION 

INPUT 

LEVEL 



OUTPUT LEVEL 
FIGURE No. 1 

t 
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SECTION IX 

SECURITY TESTING AND EVALUATIONS (ST&iE) 
Part 1. GENERAL 


9-100 Purpose 

a. To develop and acquire methodologies, techniques, and standards 
for the analysis, testing, and evaluation of the security features of 
ADP Systems. 

b. To assist in the analysis, testing, and evaluation of the security 
features of ADP Systems by developing facts (for the Designated 
Approving Authority) concerning the effectiveness of measures use 
to secure the ADP System in accordance with Section VI of DoD 
Directive 5200. 28, and the provisions of this Manual. (See Sections 

II, III, and IV. ) 


c. To minimize duplication and overlapping of effort, improve the 
effectiveness and economy of security operations, and provide for 
the approval and joint usage of ST&E Tools and Equipment. 


40 
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SECTION IX 

Part 2. 


9-200 Procedure s 

The procedures and other portions of this section will be published 
following additional testing and coordination. 



c 
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